Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

that doesn't make sense to me, is osquery actually keeping track here, or is the way I'm running the query incorrect?

```| installed_homebrew_packages_1 | SELECT name, version from homebrew_packages order by name limit 25;                                                         | 14400    | 0          | 0             | 0           | 0           | 0         | 0         | 0           | 0              | 0                   | 0                 | 0                 |```


I think that since you're just running `osqueryi --json "select * from osquery_schedule;"`, you don't actually have any queries scheduled.

You'd also have to pass a config file with the scheduled queries to osqueryi (or tls config) and wait for it to execute those queries before you get data on scheduled query execution.

You probably want to schedule a query to regularly pull data from the `osquery_schedule` table

That doesn't make any sense though, how would I pass a config to osqueryi? and these scheduled queries do run

right, but they're running somewhere else, e.g., through osqueryd

and you have an entirely-separate entity, osqueryi, that you're asking to tell you about scheduled queries

and it can't tell you about scheduled queries for osqueryd afaik

you can pass a config to osqueryi the same* way you do to osqueryd, it's a symlink and mostly the flags are the same

(* except if you need to like... enable events and such)

shouldn't this give some output? `sudo osqueryi --profile 2 --profile-delay 1 "select * from users;" --json`

I don't think it should give output unless the query fails due to an error.

btw I'm not super familiar with the profiling code, that was based on a quick glance at `osquery/main/main.cpp` after grepping for `profile`

Also, a while back someone suggested having a `osqueryi --connect /path/to/osqueryd/extension/socket.em` such that you could inspect the runtime status of an `osqueryd` process. It sounds like that would be helpful here.

This feature does not exist, it was only suggested.